1
/*
2
 * Copyright (c) 2021 Todd C. Miller <[email protected]>
3
 *
4
 * Permission to use, copy, modify, and distribute this software for any
5
 * purpose with or without fee is hereby granted, provided that the above
6
 * copyright notice and this permission notice appear in all copies.
7
 *
8
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
 */
16

17
#include <config.h>
18

19
#include <sys/stat.h>
20
#include <stdio.h>
21
#include <stdlib.h>
22
#include <string.h>
23
#include <fcntl.h>
24
#include <unistd.h>
25
#if defined(HAVE_STDINT_H)
26
# include <stdint.h>
27
#elif defined(HAVE_INTTYPES_H)
28
# include <inttypes.h>
29
#endif
30
#ifdef HAVE_STDBOOL_H
31
# include <stdbool.h>
32
#else
33
# include <compat/stdbool.h>
34
#endif /* HAVE_STDBOOL_H */
35

36
#include <sudo_compat.h>
37
#include <sudo_debug.h>
38
#include <sudo_eventlog.h>
39
#include <sudo_fatal.h>
40
#include <sudo_iolog.h>
41
#include <sudo_plugin.h>
42
#include <sudo_util.h>
43

44
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
45

46
static int
47
fuzz_conversation(int num_msgs, const struct sudo_conv_message msgs[],
48
    struct sudo_conv_reply replies[], struct sudo_conv_callback *callback)
49
{
50
    int n;
51

52
    for (n = 0; n < num_msgs; n++) {
53
	const struct sudo_conv_message *msg = &msgs[n];
54

55
	switch (msg->msg_type & 0xff) {
56
	    case SUDO_CONV_PROMPT_ECHO_ON:
57
	    case SUDO_CONV_PROMPT_MASK:
58
	    case SUDO_CONV_PROMPT_ECHO_OFF:
59
		/* input not supported */
60
		return -1;
61
	    case SUDO_CONV_ERROR_MSG:
62
	    case SUDO_CONV_INFO_MSG:
63
		/* no output for fuzzers */
64
		break;
65
	    default:
66
		return -1;
67
	}
68
    }
69
    return 0;
70
}
71

72
int
73
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
74
{
75
    struct iolog_file iolog_file = { true };
76
    struct timing_closure closure;
77
    char logdir[] = "/tmp/timing.XXXXXX";
78
    int dfd = -1, fd = -1;
79

80
    initprogname("fuzz_iolog_timing");
81
    if (getenv("SUDO_FUZZ_VERBOSE") == NULL)
82
	sudo_warn_set_conversation(fuzz_conversation);
83

84
    /* I/O logs consist of multiple files in a directory. */
85
    if (mkdtemp(logdir) == NULL)
86
	return 0;
87

88
    /* Create a timing file from the supplied data. */
89
    dfd = open(logdir, O_RDONLY|O_DIRECTORY);
90
    if (dfd == -1)
91
	goto cleanup;
92

93
    fd = openat(dfd, "timing", O_WRONLY|O_CREAT|O_EXCL, S_IRWXU);
94
    if (fd == -1)
95
	goto cleanup;
96

97
    if (write(fd, data, size) != (ssize_t)size)
98
	goto cleanup;
99
    close(fd);
100
    fd = -1;
101

102
    /* Open the timing file we wrote and try to parse it. */
103
    if (!iolog_open(&iolog_file, dfd, IOFD_TIMING, "r"))
104
	goto cleanup;
105

106
    memset(&closure, 0, sizeof(closure));
107
    closure.decimal = ".";
108
    for (;;) {
109
	if (iolog_read_timing_record(&iolog_file, &closure) != 0)
110
	    break;
111
    }
112
    iolog_close(&iolog_file, NULL);
113

114
cleanup:
115
    if (dfd != -1) {
116
	if (fd != -1)
117
	    close(fd);
118
	unlinkat(dfd, "timing", 0);
119
	close(dfd);
120
    }
121
    rmdir(logdir);
122
    fflush(stdout);
123

124
    return 0;
125
}
126

127
/* STUB */
128
bool
129
iolog_swapids(bool restore)
130
{
131
    return false;
132
}
133

134